It wasn't that long ago, in fact it was August, when I wrote this piece called "Java in the crosshairs of Enterprise Security" about the very real frustration of Java, and its impact (both positive and negative) on the lives of enterprises. Check out what I previously wrote, because it all still applies today with this latest big bug. Luckily, this latest bug is only exploitable in browsers... whew! That narrows it down.
While this particular vulnerability, CVE-2013-0422, is only exploitable through the browser plug-in, Java on the endpoint isn't just in your browser; it's nearly everywhere. Much to the chagrin of those in the security community who loathe it, it's in your disc players, some of your phones, cars and various other Java-run devices. The challenge for Java is its ubiquitous nature: it's a true "write once, run everywhere" platform, which is also why it's attacked and researched so heavily. Attackers know that if they find a flaw in the Java platform, they'll likely be able to write cross-device exploits and let Java handle the platform-specific internals. This doesn't help any of us in security sleep at night.
Another interesting aspect of Java is that the recommendations for disabling it are aimed at the end user, not the enterprise. I can only imagine how frustrating this is for enterprises that manage workstations by group policy or some software delivery mechanism. US-CERT has a reasonable write-up on removing the fangs from the Java monster, and while it's not quite as simple as pushing one universal uninstall, registry key, or GPO option (mainly because of the many versions and their differing installers), it's doable.
Here's the catch: some enterprises absolutely rely on Java on the desktop to get business done. In fact, if you work as an Information Security professional the odds are quite good that you're opening up a Java-based applet to manage your network security device... So the advice to simply remove or permanently disable Java sounds like a great idea until you consider your reality.
Is Java going away in the enterprise any time soon? I doubt it... the industry has been calling for its demise for a long time but it's still around. In fact, until something (possibly HTML5) comes along that provides the functionality that Java provides along with the ubiquitous nature of the platform, it's going to be very hard to replace it, and so we're left in the lurch.
A few thoughts...
- "Power Users" (the security-conscious and willing) will likely disable Java altogether if it isn't required in day-to-day activities
- Some people will dedicate one browser (I use Internet Explorer) as the only one that still runs Java, used for nothing but corporate apps (carefully set as not the default browser, etc.)
- Enterprise Java users will need network-level detection to catch the attacks as soon as workable signatures exist... which is all the more reason to proxy all of your Internet traffic (where possible)
- Some enterprises will simply disable Java enterprise-wide, or maybe even uninstall it via their software management products and tools... until some third-party app comes along that requires Java to view your yearly W-2 or access your payroll profile
- Corporate support will continue to be a nightmare
- Home users will probably never see this and never disable Java. (It comes pre-installed on many Windows-based systems and can be exploited, which is why exploit research like this is done.) Their anti-virus likely won't protect them from the attack either, because they haven't updated the product in years, it's broken, or they simply have a poor product in place
What Oracle needs is to build in a more robust method for enterprise management of Java, or at least a simplified interface for scripted tools to detect, update, control and/or remove the software. I think Java can be a good thing, if Oracle can invest the time in securing the platform. But there is still an alarmingly large pile of work to be done to make it "enterprise ready."
We, as security professionals, can't just say things like "disable/remove Java" haphazardly because it's a necessary component of many enterprises. We need a real alternative to mitigate the risks that Java may pose... even if the answer is temporarily disabling the plug-in while Oracle gets its act together.
Andrew Storms, Director of Security Operations at nCircle, is just as frustrated...
"Java’s not going to go away on corporate desktops anytime soon, so the best we can hope for is a way to manage it more effectively.
Corporate security needs mitigation advice to reduce the risks associated with any serious vulnerability while vendors deliver a patch; this is true for all corporate software. Since the recent Java attack vectors have been confined to browsers, the obvious mitigation tactic is to disable Java in the browser. Oracle probably thought they ‘solved’ the mitigation problem by delivering a control panel that allows the user to enable or disable Java in the browser.
I have news for Oracle -- without a way to manage this setting centrally this ‘mitigation’ is almost useless. Asking tens of thousands, or even several hundred corporate users, to open a control panel and unclick a check box is ridiculous. I’m not sure what kind of thought process created this option over in Redwood Shores, but I doubt Oracle’s own security team uses this method to control corporate desktop software configurations.
This response has left corporate IT rummaging through their Java installations hoping to find some secret sauce in the registry that will make it possible for them to control Java’s behavior on the desktop. So far, we’ve all come up empty handed."
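To make the central-management gap Storms describes concrete, here is an added example (not from the original post, and not Oracle's own tooling) of a script a Windows admin could push through a GPO startup script or a software-delivery tool to disable and lock the browser plug-in for every JRE on a host. It assumes Java 7u10 or later, and the system-level deployment.config / deployment.properties mechanism and the deployment.webjava.enabled key as recalled from Oracle's deployment documentation; verify those names and paths against your own JRE version before rolling it out.

```powershell
# Added example (not from the original post): write a system-level Java
# deployment.properties that disables Java content in the browser and locks
# the setting, so it can be applied fleet-wide instead of asking each user to
# untick the Control Panel box.
# ASSUMPTIONS (recalled from Oracle's deployment configuration docs; verify
# for your JRE version): Java 7u10+ honours deployment.webjava.enabled, the
# system-level config lives under %WINDIR%\Sun\Java\Deployment, and a
# ".locked" suffix stops users from overriding the value.

$deployDir = Join-Path $env:WINDIR 'Sun\Java\Deployment'
$sysProps  = Join-Path $deployDir 'deployment.properties'
$sysConfig = Join-Path $deployDir 'deployment.config'

New-Item -ItemType Directory -Path $deployDir -Force | Out-Null

# System-level properties: turn off Java content in all browsers and lock it.
# The Java Control Panel checkbox will show this value but cannot change it.
@"
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
"@ | Set-Content -Path $sysProps -Encoding ASCII

# deployment.config points every JRE on the box at the system properties and
# marks them mandatory. Java properties files take forward-slash file URLs.
$propsUrl = 'file:///' + ($sysProps -replace '\\', '/')
@"
deployment.system.config=$propsUrl
deployment.system.config.mandatory=true
"@ | Set-Content -Path $sysConfig -Encoding ASCII

# Inventory check: list the JREs present so the rollout can be reconciled
# against patch status once Oracle's update is available.
$javaExes = Get-ChildItem -Path "$env:ProgramFiles\Java", "${env:ProgramFiles(x86)}\Java" `
    -Filter java.exe -Recurse -ErrorAction SilentlyContinue
foreach ($exe in $javaExes) {
    # java -version writes to stderr, hence the redirect
    $ver = (& $exe.FullName -version 2>&1 | Select-Object -First 1)
    Write-Output ("{0}`t{1}" -f $exe.FullName, $ver)
}
Write-Output "Browser plug-in disabled via $sysProps (mandatory: $sysConfig)"
```

Run it elevated; the locked value only applies to JREs that read the system deployment directory, so the inventory lines are the cross-check that no unmanaged JRE was missed.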
What do you think? Are you struggling to tame the Java beast in your medium or large enterprise?
Any tips, suggestions or hints you'd like to share?
- Network World "Oracle releases emergency Java patch"
- Chicago Tribune "Homeland Security urges computer users to disable Java"